exploitDog

CVE-2022-32149

Published: 11 Oct 2022
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.

Report

After careful analysis of the vulnerability, Red Hat is choosing to keep the vulnerability severity as moderate. The vulnerability exists in the ParseAcceptLanguage function of the golang text/language package, when an attacker could craft an unusually large accept header and, due to the parser taking quadratic time complexity to finish, firstly the attacker would have to find a way to smuggle an input to the parser, and even then this would simply not result in a crash of any kind but more of a resource hang, which, while it can be unpleasant, does not equate to any real world damage.

Affected packages

Platform | Package | State | Recommendation | Release
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-must-gather-api-rhel8 | Not affected | |
OpenShift Developer Tools and Services | odo | Will not fix | |
OpenShift Service Mesh 2 | openshift-golang-builder-container | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-cluster-proxy-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acmesolver-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-search-indexer-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-search-v2-api-rhel9 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/agent-service-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-agent-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-reporter-rhel8 | Will not fix | |

Additional information

Status: Moderate
Defect: CWE-407
Reference: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
https://bugzilla.redhat.com/show_bug.cgi?id=2134010

EPSS: 0.00054 (percentile: 17%), Low
CVSS3: 7.5 High

Related vulnerabilities

ubuntu, CVSS3: 7.5, more than 3 years ago:
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

nvd, CVSS3: 7.5, more than 3 years ago:
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

msrc, CVSS3: 7.5, more than 1 year ago:
No description available

debian, CVSS3: 7.5, more than 3 years ago:
An attacker may cause a denial of service by crafting an Accept-Langua ...

github, CVSS3: 7.5, more than 3 years ago:
golang.org/x/text/language Denial of service via crafted Accept-Language header
